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The Workshop on Secure Vehicular Communica- 
tions: Results and Challenges Ahead took place in 
February 20-21, 2008, on the EPFL campus, Lau- 
sanne, Switzerland. The event brought together ex- 
perts, from a variety of organizations, working on ve- 
hicular communication systems, security and privacy. 
The fourteen presentations offered an overview of the 
latest results and reflected the views of public author- 
ities, academia, and industry. During the one and a 
half days of the workshop, the thirty-five attendees 
had the opportunity to have an in-depth discussion on 
future research and development directions for vehic- 
ular communication systems security and privacy. 

The developments in the area of vehicular networks 
and communication systems, and the increasing atten- 
tion from industry, academia and authorities, moti- 
vated us to organize this workshop. Vehicular com- 
munications (VC), including vehicle-to-infrastructure 
(V2I) and vehicle-to-vehicle (V2V) communication, 
with the latter leading to vehicular ad hoc networks 
(VANETs), lie at the core of a number of research 
initiatives. They aim to enhance transportation safety 
and efficiency, with applications that provide, for ex- 
ample, warnings about environmental hazards (e.g., 
ice on the pavement), traffic and road conditions (e.g., 
emergency braking, congestion, or construction sites), 
and local (e.g., tourist) information. 

Nonetheless, the unique features of VC are a 
double-edged sword: the rich set of tools they of- 
fer make possible a formidable set of abuses and at- 
tacks. Consider any wireless-enabled device that runs 
a rogue version of the vehicular communication pro- 
tocol stack and injects forged messages or meaning- 
fully modifies messages transmitted by vehicle on- 
board communication units; or a vehicle that forges 
messages in order to masquerade an emergency vehi- 
cle and mislead other vehicles to slow down and yield. 
Furthermore, it is possible for the vehicles and their 
sensing, processing, and communication platforms to 
be compromised. Worse even, it is not difficult to 
consider a node could 'contaminate' large portions 
of the vehicular network with false information: for 



example, a single vehicle can transmit false environ- 
mental hazard warnings that can then be taken up by 
all vehicles in both traffic streams. From a different 
point of view, consider a large number of wireless ac- 
cess points deployed across an urban area, or along a 
highway (at rest areas, gas stations, etc). With such 
a wireless infrastructure receiving transmissions from 
passing by vehicles, anyone that obtained access to 
such data could easily infer private information about 
the drivers and the vehicle passengers: their locations, 
their routes, their communications and transactions. 

These simple examples of abuse indicate that in all 
circumstances vehicular communications must be se- 
cured and the privacy of their users should be pro- 
tected. It appears that the security of VC systems and 
the protection of their users' privacy are indispens- 
able. Otherwise, these systems could make anti-social 
and criminal behavior easier than it is today without 
the VC technology. If this were the case, the benefits 
of deploying VC systems would be in jeopardy. 

It is our belief that security and privacy concerns for 
vehicular communication systems should, and hope- 
fully will, be addressed before the deployment of VC 
systems. It is our hope that this venue provided a sur- 
vey of the state-of-the-art solutions, cross-pollinated 
research and development efforts in two continents, 
increased further awareness, and thus contributed to- 
wards the objective of trustworthy vehicular commu- 
nication systems. 

Workshop Summary 

The workshop was opened by the remarks of Panos 
Papadimitratos and Jean-Pierre Hubaux of EPFL. The 
first session, chaired by P. Papadimitratos, set the 
stage, providing an update on recent developments 
on vehicular communications and applications, as 
well as a framework for the coordination of efforts 
to secure vehicular communication systems. 

Wai Chen of Telcordia delivered the first presen- 
tation, covering numerous aspects on the activities 
within the VII initiative of the US Department of 



Transportation (DoT), insights from deployment ex- 
perience in Japan, implementation and field tests 
within the VII initiative, as well as a perspective on the 
role of security. The second talk, by Tobias Gansen of 
AUDI, presented the point of view of his organiza- 
tion on VC-enabled applications that appear plausible 
and likely to be deployed. He termed these applica- 
tions as "Dreams," in contrast to "Nightmares" that 
are use-cases that can lead to significant problems, 
notably due to security. The first session was com- 
pleted by the presentation of Antonio Kung of TRIA- 
LOG, which presented the scope and activities of the 
eSafety Security Working Group, which, co-chaired 
by A. Kung, has a role of providing recommendations 
to the European Commission for future research di- 
rections. 

The late afternoon session, chaired by A. Kung, 
focused on policy and standardization issues re- 
lated to vehicular communications and efforts to se- 
cure those systems. The first presentation, by Emilio 
Davilla-Gonzalez. of the European Commission, fo- 
cused on policy and organizational challenges for VC 
security. The second talk was delivered by William 
Whyte of NTRU, who also heads the security efforts 
of the IEEE 1609 working group on security. His pre- 
sentation covered all the activities and latest develop- 
ments within the VII initiative of the US DoT. The 
session closed by Benjamin Weyl of BMW Research, 
who presented the activities and a roadmap of actions 
of the Car-to-Car Communication Consortium (C2C- 
CC) towards securing VC. 

The second day opened with a session chaired by 
Bart Preneel of K.U. Leuven. The two presentations 
in this session focused on solutions and approaches 
to secure VC systems. R Papadimitratos covered the 
activities and results at EPFL and within the SeVe- 
Com project; based on these results and on-going 
work, he discussed upcoming steps towards trustwor- 
thy VC systems. The presentation of Christof Paar 
of Ruhr University - Bochum concerned security ap- 
plications in cars. In particular, C. Paar showed how 
cryptographic operations, such as signature verifica- 
tions, can be done at high rates, as real-time support 
will be necessary in vehicular communications. He 
also demonstrated how to break key-less car entry sys- 
tems with a side-channel attack against a popular ci- 
pher and protocol. 

The second morning session, chaired by Albert 
Held of Daimler, offered presentations on privacy en- 
hancing technologies. The first talk, by Bart Preneel 
of K.U. Leuven, discussed concepts and products that 
enable pay-as-you-drive insurance, and then proposed 



and discussed the practicality of PriPAYD, a scheme 
that researchers at K.U. Leuven devised to protect the 
privacy of the insured driver. The second talk, by 
Thomas Heydt -Benjamin of IBM Research, presented 
certain privacy and identity management mechanisms, 
notably those that are part of the systems developed in 
the context of the European project PRIME. 

The rest of the day unfolded with a demonstra- 
tion session and a single-talk session on secure posi- 
tioning, both chaired by C. Paar. Demonstrations al- 
lowed the attendees to familiarize themselves with the 
PRIME prototype on location based services (presen- 
tation by T. Heydt-Benjamin), a network-traffic joint 
simulation tool TraNS (presentation by Maxim Raya 
of EPFL), and the DENSO hardware platform that is 
used by the VII initiative (presentation by Tim Lein- 
mueller of DENSO). After the demos, the talk on 
secure positioning was delivered by Neil Warfield of 
GSA; he explained the concepts and latest develop- 
ments towards deployment of the Galileo navigation 
system and the security services that Galileo is envi- 
sioned to offer. 

The panel that followed had the topic "Secure ve- 
hicular communications: What are the main re- 
search challenges left?" and it was chaired by Jean- 
Pierre Hubaux. The panelists, W. Whyte, A. Held, 
and E. Davila-Gonzalez, proposed topics that need to 
be addressed in the future, towards a successful de- 
ployment of VC systems. 

The closing session, chaired by Stefano Cocsenza 
of CRF, presented developments on in-car security 
and secure communication protocols. The first 
talk, delivered by A. Held and prepared jointly with 
Thomas Eymann of Bosch, covered requirements and 
approaches to develop solutions securing in-car com- 
munication systems. Andreas Festag of NEC Labs 
presented certain mechanisms to secure geographical 
information assisted communication (Geocast) and 
enhance its privacy. The final presentation, delivered 
by Frank Kargl of the University of Ulm, continued on 
secure vehicular communication, proposing a number 
of emerging related topics to address. 

In the rest of this paper, we provide a number of 
abstracts provided by the presenters themselves. The 
abstracts are presented in subsequent sections, in the 
order the corresponding presentations were made. We 
thank all the speakers for their contributions to this 
article and for their presentations that are available on 
the workshop websiteQ 
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Some Recent Results on Vehicle 
Communications - Opportunities and 
Challenges 

Wai Chen, Telcordia Technologies 

Significant research efforts have been aimed at in- 
tegrating communication and computing technologies 
into vehicles and roadway infrastructure. The objec- 
tive is to improve preventive vehicle safety, reduce 
traffic congestion, and enable new applications such 
as diagnostics, mobile commerce, and entertainment. 
Industrial and governmental efforts are underway to 
accelerate the introduction of V2V / V2I communi- 
cations functions including, e.g., the European C2C- 
CC and SeVeCom; the US VII and CAMP/VSC-2; 
the Japanese AHS / Smartway; and ASV, ISO/CALM, 
IEEE WAVE, and ETSI TC ITS. 

Much of the recent research has been directed at 
seamless networking technology to effectively uti- 
lize heterogeneous communication media for vehicle 
users, and ad hoc networking technology for V2V and 
V2I communications. The combination of the require- 
ments of emerging applications and characteristics of 
the roadway environments poses new challenges to 
the design of vehicular communication systems: to 
achieve high reliability, low latency, and data secu- 
rity in roadway environments. The mobility of ve- 
hicles can result in rapid network topology changes, 
node density fluctuations and constantly changing en- 
vironment conditions. This could overwhelm the lim- 
ited bandwidth of the radio links if the communication 
protocols are not well designed. 

At the lower layers, there have been many efforts to 
design radio technologies that are tailored to commu- 
nications in roadways. V2V channel modeling and ef- 
fects on communications pose new challenges, given 
that vehicles, both sending and receiving, can move 
at high speeds in roadway environments and the an- 
tennas are mounted at low vehicle heights. The ve- 
hicular applications require an efficient use of broad- 
cast, multicast, and unicast in a heterogeneous net- 
work consisting of moving vehicles and stationary 
roadside units. A lot of efforts have been focused on 
designing MAC and network protocols among vehi- 
cles or roadside units that can support cooperative in- 
formation downloading and emergency warnings dis- 
tribution, among others. In terms of broad approaches, 
some efforts focus on one-hop broadcasting as the 
basic model; whereas others focus on using a vehi- 
cle group as a manageable unit for ad hoc communi- 
cations to achieve controls over group size, message 
direction, and coordination (in transmission, routing, 



and multicast). Although feasible validation involv- 
ing many vehicles remains a challenge, it is crucial to 
develop simulation capabilities for high-fidelity per- 
formance evaluations. 

Initially, the densities will be low for equipped ve- 
hicles and roadside units that can be costly to deploy. 
Whereas preventive safety generally requires high- 
density of equipped vehicles to be effective, some ex- 
periments have shown that even low-density deploy- 
ment levels can be beneficial to the reduction of traffic 
accidents. 

Achieving security for applications and network- 
ing, and maintaining driver privacy in roadway envi- 
ronments are also crucial challenges, and as such have 
received much attention (e.g., the European SeVeCom 
and the US VII-C, among others). 

Car-2-X Challenges - Dreams and 
Nightmares 

Tobias Gansen, Lars Wischhof, Andr Ebner, and 
Ingrid Paulas, Audi Electronics Venture GmbH / 
AUDI AG 

The various projects in the area of Car-2-X com- 
munication have generated many different use-cases, 
which in turn have contributed to make the overall 
Car-2-X system complex and expensive. However, the 
rich variety of projects and initiatives such as the Car- 
2-Car Communication Consortium has successfully 
put this promising technology at center stage QJ. Cus- 
tomers, decision makers, as well as authorities show 
great interest in Car-2-X technology and expect noth- 
ing less than what the early visionaries of the field ex- 
pected: the improvement of safety, mobility and com- 
fort. It is now at us to make it real. 

Car-2-X Use-Cases of Audi 

The Audi focus of Car-2-X use-cases is mainly on 
augmenting existing systems or sensors and on use- 
cases seeming to be relatively easy to introduce with 
immediate customer benefit. The usage of single hop 
broadcast in combination with a store-and-forward 
mechanism enables many delay tolerant use-cases 
such Decentralized Floating Car Data, Obstacle Warn- 
ing or Vehicle Based Road Condition Warning. Sim- 
ulations have shown that highly efficient systems are 
feasible with penetration rates as low as 2% on high- 
way scenarios l23l . Although these use-cases still re- 
quire a minimum penetration rate, Traffic Light and 
Signage Assistance will create customer benefit start- 
ing with the first traffic light equipped JH. More time 



critical safety use-cases like Pre-Crash Sensing and 
Preparation or Intersection Collision Warning are cur- 
rently under investigation, but they require additional 
research not limited to technical examinations. 



Use-Cases to Avoid 

Although many of the use-cases currently discussed 
are interesting on an academic basis, some of them 
are not attractive to OEMs. We as OEMs should 
have the strong desire to support the drivers of our 
cars, not to harass them. Therefore, all types of non- 
interactive safety inspections like Electronic License 
Plate should be avoided, from our point of view. This 
is also the case with the possibly cloaked introduction 
of a driver's log under the hood of the Car-2-X system. 
Such a system would not only add additional secu- 
rity requirements but may even discourage customers 
from choosing a Car-2-X enabled car. The definition 
of a flexible baseline security architecture ll20l [141 by 
the SeVeCom project and the detailed analysis of the 
different requirements lfl9l in combination with up- 
coming field operational tests can bring this technol- 
ogy one step closer to broad series introduction. 



Vehicle Security in VII 

William Whyte, NTRU Crypto systems, Inc 

Vehicle Infrastructure Integration (VII) is a US De- 
partment of Transportation (DoT)-sponsored initiative 
to enable vehicle-to-vehicle and vehicle-to-roadside 
communications in the 5.9 GHz bandU The IEEE 
standards 1609.* and 802. lip standardize the com- 
munications stack. The first generation of IEEE stan- 
dards was issued in 2006-7. And since mid-2006, the 
initiative has expanded from standardization work to a 
full-scale Proof of Concept (PoC) project, developing 
prototypes of both on-board equipment (OBEs) and 
roadside equipment (RSEs), as well as applications to 
run on the OBEs and RSEs and across the backhaul 
network. Field tests of the PoC systems have been 
underway since Q4 2007 and should conclude in Q2 
2008. 

IEEE 1609.2 is the standard for secure messaging 
in the VII setting. The security work in VII PoC was 
based on 1609.2 but considerably widened the scope. 
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Types of Communication and Security 
Mechanisms in VII 

In addition to standard security requirements, in 
the VII system OBEs must have a guarantee of 
anonymity. This means that it should be difficult for 
an attacker, based on VII transmissions alone, to de- 
termine (a) that a specific transmission has come from 
a specific vehicle or (b) that two specific transmissions 
have come from the same vehicle (unlinkability). Typ- 
ical communications scenarios include: 
Traffic advisory or WSA multicast from RSE - re- 
quires authentication. Supported by 1609.2 without 
modification. 

Safety-of-life multicast from vehicle - requires au- 
thentication, anonymity. Required extension to 1609.2 
to define anonymous mechanisms. 
Tolling - established by WAVE Service Advertise- 
ment (WSA), requiring RSE authentication); there- 
after communications need confidentiality, authenti- 
cation, and possibly non-repudiation. Addressed by 
the development of V-DTLS, a variant of Datagram 
TLS optimized for the VII setting to reduce round-trips 
and message size. 

Lengthy communication with backhaul - requires 
WSA authentication and an establishment of a secure 
session that can survive as the OBE moves between 
RSE communications zones. Addressed by the devel- 
opment of V-HIP, a variant of the IETF Host Iden- 
tity Protocol optimized to address anonymity require- 
ments. 

Communications with the CA - Addressed by modi- 
fications and extensions to 1609.2. 

Additional Research 

Anonymity was supported by the so-called combina- 
torial method of creating N (= about 10,000) private 
key/certificate pairs and issuing n (= about 5) of those 
N pairs to each vehicle at random. Extensive simu- 
lation showed this to have good anonymity properties 
but to be fragile against large-scale attacks where the 
attacker compromises a large number of vehicles. 

The certificate issuance mechanism separated the 
roles of issuing CA and authorizing CA; the two CAs 
must collude to compromise anonymity. 

Extensive research was carried out on the mechan- 
ics for CRL distribution for OBE certificates. 

Project participants also developed a cryptographic 
hardware accelerator capable of performing 250 
ECDSA verifications a second. 



eSafety Security Working Group 

Antonio Kung, TRIALOG 

The eSecurity Working Group is part of the eSafety 
forum, which brings together the European Commis- 
sion, the industry, public authorities and other stake- 
holders to co-ordinate the advent of road safety ap- 
plications. The WG was established in early 2007 to 
address the growing concern that the deployment of 
intelligent vehicle systems involves a large scale tech- 
nology infrastructure that is vulnerable to accidental 
or malicious misuse and therefore can jeopardize road 
safety. In particular: 

• Automotive industry manufacturers were con- 
cerned about vehicle intrusion problems, as the 
availability of permanent communication opens 
the door to a myriad of misuse cases that can 
threaten the integrity of vehicle electronics. 

• Public authorities dealing with data protection 
issues were concerned that the availability and 
manipulation of location-oriented data at such a 
high scale would create privacy problems. With- 
out specific measures, the deployment of indi- 
vidual applications could lead to huge agreement 
overhead or, worse, to non-authorization recom- 
mendations. 

The eSecurity Working Group can be viewed as a 
platform for European stakeholders to discuss these 
vulnerability aspects, with the following objectives: 

• Investigation of security needs that address the 
vulnerability of road transport introduced by the 
misuse of networked and co-operative systems. 

• Integration of existing and emerging research 
and technology development (RTD) initiatives in 
order to support the introduction of security tech- 
nologies in parallel to the progress of the technol- 
ogy infrastructure, and to ensure compatibility to 
legal and certification aspects. 

• Provision of qualified recommendations regard- 
ing (1) technology requirements (networks, ar- 
chitecture, systems and components and their in- 
teraction), (2) standardization needs, (3) legal 
provisions. 

The WG will publish before the end of 2008 a re- 
port with two main parts. The first part will provide 
an overall view on security needs (motivation, prereq- 
uisites, state of the art, security analysis, use cases for 



security issues and security requirements). The sec- 
ond part will provide elements for recommendations 
in the area of organization (e.g. related to the under- 
lying public key infrastructure), of quality assurance 
and responsibilities aspects (e.g. related to the inspec- 
tion needs). It will also identify and prioritize research 
challenges. The report should lead to the implemen- 
tation of concerted measures. 

Car2Car Communication Consortium 
C2C-CC Secure Vehicular Communi- 
cation: Results and Challenges Ahead 

Benjamin Weyl, BMW Group Research and Technol- 
ogy 

Car2X communication enables a broad range of 
safety applications. Although this functionality in- 
spires a new era of safety in transportation, new se- 
curity requirements need to be considered in order to 
prevent attacks on these systems. Potential threats, se- 
curity requirements and baseline security concepts of 
the C2C-CC Security Working Group are presented. 
One of the particular interests is trustworthy message 
exchange to ensure reliable, safe system operation, as 
well as the protection of identity and location against 
undesired privacy infringement. Different approaches 
are compared considering efficiency and scalability. 

External communication interfaces, fixed and wire- 
less, have increasingly become an integral part of au- 
tomotive on-board architectures. This development is 
not the least driven by future safety application sce- 
narios. Safety applications based on Car2X communi- 
cation have been identified as a measure for decreas- 
ing the number of fatal traffic accidents. Examples 
for such safety applications are local danger warn- 
ings, traffic light pre-emption, or traffic information 
via road-side units. New security requirements need 
to be considered in order to prevent attacks on these 
systems. Attacks can be manifold: illegally forced 
malfunctioning of safety critical in-vehicular compo- 
nents and the illegal influence of traffic provoked by 
means of fake messages are just two likely possibili- 
ties. 

Baseline 

Digital signatures are a convenient way to provide 
message integrity and authentication. Within the 
C2C-CC Security WG various approaches based on 
digital signatures have been discussed, outweighing 
the advantages and drawbacks with respect to the se- 
curity and privacy requirements, as well as scalability 



and performance constraints. 

The use of long-lived pseudonym certificates fails 
to meet privacy requirements, because it makes vehi- 
cle and profile tracking possible, and node exclusion 
is not possible without the intervention of complex 
certificate revocation lists (CRL). The insufficiency of 
this approach could be fixed by using pseudonymous 
certificates pools, but it is desirable that a node does 
not own multiple simultaneously- valid pseudonyms in 
order to avoid Sybil attacks. Moreover, the revocation 
of such a pseudonym pool does not scale with a large 
number of nodes. Providing vehicles with a short- 
lived pseudonymous certificate, instead of several, 
solves the problem of the Sybil attack while keep- 
ing the benefits of the certificates pool approach |T71 . 
Group signatures meet the privacy and scalability re- 
quirements, however, as computational effort is still 
too high, this mechanism is currently not applicable. 
Thus, the WG has chosen to advocate the use of short- 
lived pseudonymous certificates. Currently, the WG 
is discussing and specifying the appliance of this ap- 
proach based on the C2C-CC reference model. More 
details on the baseline concepts and the activities of 
the WG can be found in the C2C-CC Manifesto 0. 

Challenges Ahead 

In order to prevent attacks where the in- vehicular sys- 
tem is tampered with (e.g., extracting secret mate- 
rial or manipulating the software), further security so- 
lutions are to be developed by combining software 
and hardware measures. More investigation is to be 
put into pseudonym change methods, change rates 
and certificate distribution. Besides technical aspects, 
other discussion areas are commercial requirements, 
regulation and legislation. 

Securing Vehicular Communication 
Systems: Results and Next Steps 

Panos Papadimitratos, EPFL 

Our objective at EPFL, within the SeVeCom 
project 1H, has been to design a baseline architecture 
that provides a sufficient level of protection for users 
and legislators and is practical and deployable. This 
baseline architecture is based on well-established and 
understood cryptographic primitives that can be im- 
plemented on today's hardware and deserve sufficient 
trust because of their existing deployment. It also al- 
lows deployed systems to be tuned or augmented, in 
order to meet more stringent future requirements. 



The fundamental aspects that our architecture seeks 
to address are: identity and cryptographic key man- 
agement, privacy protection, and secure communi- 
cation. Additional problems to address are tamper- 
resistance and detection of faulty (inconsistent) data 
and node actions. In brief, we primarily seek to secure 
communications on the wireless part of the VC sys- 
tem, while protecting sensitive user information, and 
providing the option for node identification when nec- 
essary, e.g., for liability attribution. In other words, 
primary requirements are message authentication, in- 
tegrity, and non-repudiation, as well as protection of 
private user information; a detailed discussion of the 
security requirements and the adversary models is 
available at lfTTl[T6l . 

Towards this end, we have developed an architec- 
ture |[20l[T4l that interoperates both the vehicular com- 
munication and the TCP/IP protocol stacks and re- 
lies on the presence of a Certification Authority (CA) 
and public key cryptography to protect V2V and V2I 
communication. Nodes, vehicles or road-side units 
(i.e., on-board vehicular communication platforms) 
are registered with CA, and each has a unique iden- 
tity and is equipped with a pair of private and public 
keys and a certificate from the CA. These are long- 
term identities, credentials, and cryptographic keys. 
The CA is also responsible for evicting nodes from 
the system, if necessary, either for administrative or 
technical reasons. 

To enhance the user privacy, we rely on the con- 
cept of pseudonymity or pseudonymous authentica- 
tion: we require that each vehicle (node) is equipped 
with multiple certified public keys that do not reveal 
the node identity. The vehicle uses pseudonyms al- 
ternately, and each pseudonym for a short period of 
time without reusing it, so that messages signed under 
different pseudonyms cannot be linked. These short- 
lived keys are used to secure all communications, one- 
or multi-hop, with the senders and the relaying nodes 
of control or data packets signing and verifying them, 
depending on the employed protocol. Cryptographic 
and integrity protection prevent external adversaries 
from modifying and injecting traffic. 

To protect the VC system from internal adversaries, 
i.e., misbehaving nodes equipped with the system cre- 
dentials, we provide revocation methods. At first, 
as long-term credentials are used by vehicles to ob- 
tain new sets of pseudonyms, revocation can be per- 
formed at the entity providing the certification for new 
pseudonyms (which we can be in general different 
than the CA). Nonetheless, to revoke already granted 
and not expired credentials, we provide a Revocation 



of the Trusted Component (RTC) protocol, with the 
CA instructing the TC directly to erase all crypto- 
graphic material and acknowledge the termination of 
operation. In case RTC does not conclude success- 
fully, we provide revocation through the distribution 
of compressed certificate revocation lists, namely, the 
RCCRL protocol, with RSUs acting as a gateway for 
the CRL dissemination and vehicles further relaying 
CRLs to other vehicles in parts of the network not cov- 
ered by RSUs. To complement the eviction and en- 
hance the system robustness against not-yet-revoked 
faulty nodes ifTTl . we provide a localized misbehavior 
detection, a distributed self-protection and misbehav- 
ior evidence collection protocol. 

However, the detection of misbehavior and its at- 
tribution to specific nodes is not an easy task in gen- 
eral. It may be feasible for specific types of devia- 
tion from the protocol (e.g., plausibility checks for 
geographic routing [9]), but hard or even impossible 
for other types of misbehavior. Moreover, due to the 
highly volatile nature of vehicular networks, we can- 
not rely on lengthy interactions between two or more 
vehicles, in order to deduce the trustworthiness of spe- 
cific vehicles. In fact, we realize this is a more general 
problem: We cannot operate exclusively on a priori or 
largely time-invariant trust relations with network en- 
tities. This is especially true if the identity of the data- 
producing entity is secondary, or if it is concealed by a 
privacy-enhancing mechanism. To address this chal- 
lenge, we propose a shift towards data-centric trust: 
Trustworthiness is attributed to node-reported data per 
se. We study this in the context of VC, with vehicles 
collecting reports (data), and we evaluate the trustwor- 
thiness of data reported by other vehicles rather than 
the trustworthiness of the vehicles themselves lfT8l . 

Towards evaluating and enhancing the practical- 
ity of our secure communication architecture and 
protocols, we consider the simplification of the 
management of the short-lived cryptographic keys 
(pseudonyms) and credentials and the satisfaction of 
privacy and security requirements. To achieve this, 
we propose a Hybrid Scheme @ : This is essentially 
a pseudonymous authentication scheme that enables 
nodes to generate their own certified pseudonyms. To 
maintain the degree of privacy protection pseudony- 
mous authentication provides, nodes utilize a group 
signature (GS) scheme. Thus, the most important 
aspect that the Hybrid Scheme changes with respect 
to the "baseline" pseudonymous authentication is the 
computation of pseudonyms and certificates and, con- 
sequently, their validation. Such a scheme is modular, 
usable, efficient, and robust. It eliminates the need for 



pre-loading, storing and refilling pseudonyms and the 
corresponding credentials and private keys, so that ve- 
hicles do not need to be either side-lined, or they are 
not forced to compromise their users privacy if insuf- 
ficient or no pseudonyms are available, or they do not 
need to "over-provision" their pseudonym supply. 

We also investigate how to reduce the cost due to 
security and privacy enhancing technologies. In par- 
ticular, we look at variants of pseudonymous authen- 
tication, as discussed above, and we introduce a set 
of optimizations to reduce processing and communi- 
cation overhead. But we are interested in a more gen- 
eral problem: What is the effect of security and these 
broadly accepted pseudonym-based mechanisms on 
transportation safety? In other words, can, for ex- 
ample, vehicle collisions still be avoided, thanks to 
VC-enabled safety applications, even if security is in- 
tegrated? We set out to answer this question by eval- 
uating the reliability of communication, the process- 
ing load at each node and the overall impact on the 
transportation safety, expressed as the proportion of 
collided vehicles, under various conditions, by bind- 
ing traffic and network simulation. Our results show 
the need for increased processing power, as well as 
the benefits from the proposed optimizations and the 
ability to achieve safety practically at the same level 
as that achieved by an unsecured emergency braking 
alert application lfl31 . 

With the knowledge about how to address a num- 
ber of fundamental issues, and the appropriate tools 
to evaluate our schemes, we have several encouraging 
results and approaches for designing and deploying 
practical secure and privacy-enhancing VC systems 
that also rely on non-cryptographic defense mecha- 
nisms. These systems could then achieve essentially 
the same level of transportation efficiency and safety 
as a system that would operate in a benign environ- 
ment without security. 

PriPAYD: Privacy Friendly Pay-As- 
You-Drive Insurance 

Bart Preneel, K. U. Leuven 

Pay-As-You-Drive (PAYD) [2T] is a new car insur- 
ance model where, in contrast to the traditional pay- 
by-the-year policy, customers are charged depend- 
ing on where and when they drive instead of a fixed 
amount per year. For each kilometer that a car is 
driven the statistical risk of accident, depending on 
the road and the time of the day, is calculated and 
translated to personalized insurance fees. Pay-As- 



You-Drive insurance models are hailed as the future 
of car insurance due to their advantages for users and 
companies Ifl2ll24l . First, the insurance fees applied 
to each user are fairer than those in the pay-by-the- 
year scheme, as customers are only charged for the 
actual kilometers they travel. Second, PAYD policies 
are socially and environmentally beneficial, as they 
encourage responsible driving, decrease the risk of 
accidents (which in turn saves money for users and 
insurers) and reduce energy consumption and pollu- 
tion emissions. Due to all these advantages, PAYD 
insurance policies are being widely developed by in- 
surance companies all over the world like Norwich 
Union [22l (UK), Aioi US (Japan), Hollard Insur- 
ance [10] (South Africa), etc. 

Although PAYD insurance seems to have many ad- 
vantages, most of its current implementations involve 
an inherent threat to user's privacy. The full informa- 
tion used for billing (the time and location of the car) 
is gathered by a black box in the car, and transferred 
to the insurance company (and, in some of the cases, 
to a third company providing the location infrastruc- 
ture). The insurer does the accounting to obtain the 
client's premium and sends the bill by traditional mail, 
together with a user friendly (reduced) version of the 
full GPS data. This model puts service providers in 
a business advantage position. With all the data col- 
lected, new services (traffic information, pollution in- 
formation, etc) can be offered to customers. It also 
allows providers to perform data mining to detect po- 
tential fraud. However, the obvious disadvantage of 
this model is that it is privacy invasive, as the data col- 
lected by the insurance company is sufficient to track 
almost every movement of a car over time. Moreover, 
this collection of personal data raise many legal ques- 
tions, as pointed out in lf2TTl . 

We propose PriPAYD a privacy friendly scheme. 
Our proposed architecture follows closely the 'current 
model' with the exception that the raw and detailed 
GPS data is never provided to third parties. Compu- 
tations transforming the GPS data into billing data are 
performed in the vehicle black box and the insurer re- 
ceives only the billing data instead of the exact ve- 
hicle locations (thus they cannot invade the user's pri- 
vacy) while being sure he is receiving the correct data. 
The client can check that only the allowed data is in 
the insurance company database, and the raw data is 
available for the client (or a judge) to check the cor- 
rectness of the bill. Our techniques also permit easy 
management and the enforcement of the policies by 
the insurer. 

Periodically, the premium for a period of time is 



calculated and the amount to be payed is sent in a 
secure way to the insurance company via GPRS, or 
even the less expensive SMS services. The data is 
signed using the black box key and encrypted under 
the public key of the insurance company. To ensure 
that the black box is not acting maliciously in favor of 
the insurance company, we need to allow a car user 
or owner to audit the billing mechanism. For this 
purpose, we propose the use of an off-the-shelf USB 
memory stick. The data is recorded in an encrypted 
way on this token so that only the policy holder can 
access it, and it is signed by the black box to be us- 
able as evidence. The symmetric encryption key is 
generated by the black box and provided to the policy 
holder in two key shares: one written on the USB stick 
and the other relayed through the insurance company 
and delivered by mail with the bill. A simple mech- 
anism, such as pushing a button on the box for some 
time, allows the encryption key to be reset. 

There is no component or infrastructure required by 
PriPAYD that would make it much more expensive 
than current systems. One could in fact argue that in 
the long run running PriPAYD as any other privacy 
enhanced technology, is less expensive than privacy 
invasive systems. The costs of protecting private data 
stores is often overlooked in the accounting of costs, 
as is the risk of a single security breach leaking the 
location data of millions of policy holders. In addi- 
tion, PriPAYD keeps sensitive data locally in each car, 
in a simple-to-engineer-and-verify system. Requiring 
an off-the-shelf back-end system to provide the same 
level of privacy protection to masses of data would 
make them, not only prohibitively expensive, but sim- 
ply not implementable. 

Panel: "Secure vehicular communi- 
cations: What are the main research 
challenges left?" 

Chair: Jean-Pierre Hubaux 

Panelists: Emilio Davila-Gonzalez (EU Commis- 
sion), Albert Held (Daimler), William Whyte (NTRU) 
Report: Maxim Raya and Jean-Pierre Hubaux 

According to William Whyte, misbehavior detec- 
tion and revocation in vehicular communications re- 
main open problems. The certification of vehicular 
applications (i.e., the end points of communication 
in the IEEE 1609 draft standard) is another unsolved 
problem. Most interesting is the panelist's statement 
that US car-makers favor anonymity of drivers over 
their liability in case of accidents. Hence, misbehav- 



ior would be reported to the CA (Certificate Author- 
ity) only in critical cases and revocation would be car- 
ried out only after a long history of misbehavior. The 
reason for favoring anonymity over driver liability is 
the car-makers' fears of being sued if data obtained 
from vehicular communications causes legal or finan- 
cial damage to drivers (a typical example being that 
of an affair revealed by a private detective, based on 
the vehicular communication traces of the suspected 
spouse's vehicle). 

Albert Held summarized the remaining challenges 
in three components: prevention, detection, and re- 
covery. The main issue in prevention is the possible 
lack of a PKI (Public Key Infrastructure) and of a CA, 
at least in the early stages of deployment. The typical 
services provided by the PKI, such as key manage- 
ment, need to be substituted by intermediate solutions 
until the proper infrastructure is available. In detec- 
tion, the hard question is: What is an attack? It is of- 
ten hard to distinguish between a malicious error and 
a faulty device. Hence, a related question is whether 
a faulty device should also be considered to be an at- 
tack because it causes damage to the system. Last but 
not least, recovery from attacks is also tightly related 
to the notion of fault tolerance. Based on the attack or 
fault, the recovery process should either remove the 
attacker or repair the fault. 

Emilio Davila-Gonzalez described the ongoing and 
future EU proposals related to transport safety and se- 
curity. In his opinion, the remaining challenges are 
the integration of the security architecture into a har- 
monized EU-wide vehicular communication architec- 
ture and the implementation of the proposed security 
solutions in the planned operational field tests of co- 
operative vehicular systems. 

In addition to the panelists, the audience high- 
lighted the following set of additional challenges: 

• Specification of proper requirements for the se- 
curity of vehicular communications. 

• Information aggregation primitives for reducing 
the overhead of information dissemination, con- 
sidering that security might add a high overhead 
to communication. 

• Making security cooperative, among vehicles, 
and reactive instead of the current local, to the 
vehicle, and passive approach (e.g., like anti- 
virus software). 

• Secure positioning, given that both GPS and 
Galileo lack the necessary security mechanisms. 



• To the question about the existence of real se- 
curity threats to vehicular communications, the 
panelists unanimously pointed out that the main 
motivation of car makers are terrorist attacks, es- 
pecially in the US, and the kidnapping threats for 
luxury brands. 

An audio recording of the panel, courtesy 
of Thomas Heydt-Benjamin, is available at: 
http://www.archive.org/details/CryptocracySpecialEpisode001Epfl , V 

Security for Inter-Vehicular Commu- 
nication Mechanisms: What is next? 

Frank Kargl, Elmar Schoch, and Michael Weber, Ulm 
University 

In vehicular communication systems considered by 
many research projects (e.g., Fleetnet, VSC, Network- 
on-Wheels, VII, CVIS, Safespot) and standardiza- 
tion groups (e.g., IEEE 802.1 lp and 1609.x, ISO- 
CALM, Car-2-Car Communication Consortium) we 
have identified a recent trend away from classic com- 
munication patterns and towards more sophisticated 
forms of communication. 

Earlier research mostly addressed the following 
communication patterns: 

Beaconing: direct and periodic broadcast of mes- 
sages to all neighbors reachable via the wireless radio. 

Flooding and Geocast: (Potentially also periodic) 
distribution of broadcast messages where receivers act 
as relays. Distribution is usually restricted by time-to- 
live (TTL) counters or a geographic destination area 
in case of Geocast 

Position-based Routing: In contrast to topology- 
based routing that is often used in MANETs, position- 
based routing has proven to be superior for vehicular 
networks. 

Up to now, these mechanisms are mainly regarded 
in work on security and privacy of vehicular networks. 
Recently, research on vehicular communication has 
begun to suggest more advanced means of informa- 
tion dissemination and this, of course, necessitates an 
adaption of security and privacy mechanisms. Before 
addressing those issues, we first give some examples 
of such communication mechanisms. 

Various publications highlight the need for more 
efficient flooding and Geocast strategies. Depending 
on network parameters like node density or topology, 
e.g., Gossiping decreases the probability by which a 
node relays a received packet. This can lead to signif- 
icant increase of network efficiency. 



The so-called Context-adaptive Message Dissemi- 
nation introduces the idea of contextual relevance for 
the dissemination of information. Based on parame- 
ters such as the source location or the age of an in- 
formation, the node estimates the relevance of an in- 
formation to its neighboring nodes and preferably for- 
wards messages with higher relevance. A modified 
medium access scheme even allows inter-node priori- 
tization based on this relevance. Overall, the available 
bandwidth is used primarily to forward information 
that is important in the current context, whereas less 
relevant information is delayed or discarded. 

Aggregation goes even one step further. When a 
node receives data from neighboring nodes, it does not 
immediately forwarded them. Instead a node checks 
if it can aggregate this information with other infor- 
mation received earlier or generated locally. E.g., in 
a traffic jam, many nodes will report similar data, e.g. 
low speeds. This can easily be aggregated, to directly 
reduce the amount of communicated data. 

From a security and privacy point of view, Gos- 
siping, Context-adaptive Message Dissemination, and 
Aggregation, by themselves already, provide an aston- 
ishing degree of resistance against attacks. In contrast 
to many routing protocols, there is (almost) no sig- 
nalling between nodes that an attacker could exploit. 
Essentially an attacker is limited to Denial-of-Service 
attacks or modification/forging of information. 

This however can hardly be addressed by tra- 
ditional, crypto-based security mechanisms alone. 
Those mechanisms often provide a sender-centric se- 
curity where the sender of a message protects it from 
modification by means of signatures or from eaves- 
dropping by encryption. Furthermore, those mech- 
anisms often assume a mostly static packet content 
that is disseminated in the network with only minimal 
changes, e.g. decreasing a TTL in the packet header. 

Whereas this assumption might hold in the case of 
Gossiping, information may already be re-arranged to 
new packets in the case of Context-adaptive Message 
Dissemination. When using aggregation mechanisms, 
individual information usually is lost during the dis- 
semination process. 

Hence, the sender- and packet-oriented approach 
to security needs to be replaced or augmented by 
a data-oriented approach where mechanisms like 
consistency-checks using redundant information or 
real-world sensors are used to discard incorrect in- 
formation from the network and where rate-limits re- 
strict the effects of Denial-of-Service attacks. Initial 
exploration of such mechanisms has already delivered 
promising results. 



Secure and Privacy-Enhanced Geo- 
cast: Results and Challenges 

Andreas Festag, NEC Germany GmbH, Heidelberg, 
Germany 

Geocast is a network protocol for ad hoc and mul- 
tihop communication with short-range wireless tech- 
nology, such as IEEE 802.11. It utilizes geograph- 
ical positions for addressing and packet routing and 
provides various forwarding schemes, including geo- 
graphical unicast, broadcast and anycast. It quickly 
adapts to frequent network topology changes and nat- 
urally supports the distribution of data packets in ge- 
ographical target areas. Hence Geocast is particularly 
suited for vehicular networks targeting at road safety 
and travel comfort applications. For a sustainable de- 
ployment of Geocast in realistic environments, secu- 
rity and privacy are inevitable components. 

Security objectives for Geocast cover integrity, au- 
thentication, and non-repudiation of packet header 
and payload, including: (i) cryptographic protection 
based on digital signatures and certificates, (ii) plau- 
sibility checks of fields earned in the network header 
and their local confidence assessment, (iii) trustwor- 
thy forwarding and network isolation compromised 
nodes, and (iv) rate control to prevent forwarding of 
massively injected data. For the cryptographic primi- 
tives, we distinguish between immutable and mutable 
header fields, which indicate whether the fields can be 
changed in the forwarding process or not, and com- 
bine hop-by-hop and end-to-end signatures to protect 
the mutable and immutable fields, respectively. 

Privacy ensures that a node - source, forwarder, 
and receiver - is not identifiable. It hides personal 
data such as location, speed, and heading, but it 
allows a node to reveal its identity to other nodes 
for reasons such as reputation and session estab- 
lishment or for legal authorities. The core con- 
cept for achieving privacy is based on the use of 
pseudonyms. In order to prevent tracking, a node 
changes pseudonyms frequently. Privacy-enhanced 
Geocast implies solutions for (i) a cross-layer address- 
ing concept for MAC, GeoCast and IPv6 addresses 
derived from pseudonyms, (ii) control of effective 
pseudonym changes, (iii) mitigation of the impact by 
pseudonym changes on routing, and (iv) a pseudonym 
resolution service for (re-)establishment of communi- 
cation sessions. 

The solution for secure and privacy-enhanced Geo- 
cast is implemented in a software prototype for ve- 
hicular communication based on IEEE 802. 1 1 [3 ] and 
serves as the basis for ongoing and future R&D efforts 
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Figure 1 : Main components 

and projects. As complements to the existing solution, 
a number of challenges can be identified, from which 
we highlight these: 

• Hardware acceleration for cryptographic oper- 
ations in order to meet real-time delay require- 
ments of road safety applications J9l and to al- 
low for an advanced forwarding scheme that pre- 
sume a negligibly small processing delay (e.g., 
contention-based forwarding). 

• Integration of communication protocols for ve- 
hicular networks with wireless sensor net- 
works^] (WSN), secure the aggregation and dis- 
tribution of data, and secure access to stored in- 
formation in the sensors. 

• Deployment of advanced PKI concepts with in- 
herent support of user privacy, as described 
in 13. 
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